OS X Drivers Reverse Engineering

•

1 gostou•2,335 visualizações

Positive Hack Days

Reverse Engineering OS X
drivers
Egor Fedoseev
May 21, 2014
PHDays, Moscow

● OS X market share grows over the time
● Kernel-land malware is scary
● Porting drivers, of course
Why do we need that

About presentation
#OSX, #C++, #IDA, #DWARF, #Python
Not exactly a rocket science. I just didn’t see
a simple OS X driver reverse engineering
tutorial yet.

About presentation
● OS X kernel overview
● Drivers overview
● Reverse engineering a driver, facing
problems
● Solving problems

● Hybrid XNU kernel (Mach + BSD + IOKit)
● Microkernel Mach
● BSD for unixness (POSIX, process model,
network stack, access conrol, filesystems,
etc.)
● IOKit for drivers
OS X kernel

● C++ subset
● Multithreaded
● Power management, driver management,
driver layering, driver interface
● Drivers, families, nubs
● Registry & Catalog
● Classes hierarchy
IO Kit

Kernel extensions
● /System/Library/Extensions
● /Library/Extensions (codesigned)
● Application bundle:
Contents/Info.plist
Contents/MacOS/
Contents/PlugIns
● Ordinary Mach-O file

Reverse engineering a driver
● http://opensource.apple.com/
● IDA
● Hopper
● kextstat, kextlibs, kextutil
● otool
● dwarfdump
● ...

● 10.9+ — x86-64 only
● Any IDA prior to 6.5 fails to parse
relocations
● Heavily C++ — fields and virtual methods
Problems

What can we do?
● Fix relocations
● Parse VMTs to get class structures
● Process dependencies
● Kernel type library

Relocations
● No comprehensive Python library to parse
Mach-O files
● Look for LC_SYMTAB, LC_DYSYMTAB
● Hopper and otool handles relocations just
fine.

VMT
● Luckily, vtables are exported symbols
● Process relocations, look for ‘_ZVT’
● Easy way to import is to serialize data into
C header file

Dependencies
● kext/Contents/Info.plist
● com.apple.kpi -> look in mach_kernel
● otherwise look in
/System/Library/Extensions
/Library/Extensions

Kernel type library
● IDA has a way to store reusable type
information — TIL
● SDK utility tilib fails to parse C++ code
● dwarf2c fails to parse C++ code
● Probably the easiest way is to parse DWARF
● DWARF parser from elftools package is good

Useful links
● http://opensource.apple.com/
● http://reverse.put.as/
● https://developer.apple.com/library/
● python macholib
● python elftools
● python dwarf2c

That's all
github.com/binchewer
domi@hackerdom.ru

Mais conteúdo relacionado

Mais procurados

The Yocto Project provides an integrated environment to develop and debug custom embedded Linux systems, similar to commercial embedded Linux development environments. In this talk, we will introduce the different parts and lexicon of the Yocto Project: poky, OpenEmbedded-core, bitbake, layers, recipes, machine, distro, etc. Different “How to” will be detailed: how to configure it, build an image from layers, create recipes and add a custom machine. Throughout the talk, many good practices will be detailed. Thanks to that, the audience will have a good overview of Yocto Project and will know how to start using it in an effective way. This talk is intended for developers or technical people who want to work/start with Yocto/Openembedded. Good practices are important when working with Yocto Project and will be detailed in this presentation. No particular knowledge is required to attend this talk. Mylène Josserand, Free Electrons

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Building Mini Embedded Linux System for X86 Arch

Building Mini Embedded Linux System for X86 Arch

Building Mini Embedded Linux System for X86 Arch

In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them… Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism. In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail*, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc). * unfortunately bug was not fixed at the time of talk, so we do not exposed details about TTF vulnerability, and we skipped directly to some challenges during exploitation, and demonstrate how OS design can overpower introduced exploit mitigations.

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

U Boot or Universal Bootloader

U Boot or Universal Bootloader

U Boot or Universal Bootloader

GCC LTO

Basic Linux Internals

Basic Linux Internals

Basic Linux Internals

Embedded Linux BSP Training (Intro)

Embedded Linux BSP Training (Intro)

Embedded Linux BSP Training (Intro)

RuggedBoardGroup

Linux Initialization Process (2)

Linux Initialization Process (2)

Linux Initialization Process (2)

Play with FILE Structure - Yet Another Binary Exploit Technique

Play with FILE Structure - Yet Another Binary Exploit Technique

Play with FILE Structure - Yet Another Binary Exploit Technique

Linux SMEP bypass techniques

Linux SMEP bypass techniques

Linux SMEP bypass techniques

Vitaly Nikolenko

Linux Kernel Booting Process (1) - For NLKB

Linux Kernel Booting Process (1) - For NLKB

Linux Kernel Booting Process (1) - For NLKB

What is special about community-industry collaboration around an open architecture like RISC-V is that the community can join development around key kernel subsystems in parallel with the semiconductor companies and manufacturers as they are producing the new chipsets and boards. Open silicon design, open board design, and open kernel software speeds bring-up of new boards and fosters greater innovation due to the diversity of talent contributing to the technology. For many kernel developers, tackling RISC-V is becoming harder to resist now that commercially viable and scalable hardware has begun to enter the market. A private beta program launched by the BeagleBoard Foundation in March 2021 placed an affordable, yet powerful prototype RISC-V board into the hands of Roman Shaposhnik. What did Roman do? He joined a diverse team of software and hardware hackers to tackle bringing up Linux on the new board. In this talk, Roman will tell you about his experience porting Alpine Linux and LF Edge EVE-OS to the new RISC-V architecture.

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

Qemu Introduction

Qemu Introduction

Qemu Introduction

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Yocto Project introduction

Yocto Project introduction

Yocto Project introduction

How well does InfiniBand virtualized with SR-IOV really perform? SDSC carried out some initial application benchmarking studies and compared to the best-available commercial alternative to determine whether or not SR-IOV was a viable technology for closing the performance gap of virtualized HPC. The results were promising, and this technology will be used in Comet, SDSC's two-petaflop supercomputer being deployed in 2015.

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

Glenn K. Lockwood

Project ACRN hypervisor introduction

Project ACRN hypervisor introduction

Project ACRN hypervisor introduction

Ceph Day Beijing - SPDK for Ceph

Ceph Day Beijing - SPDK for Ceph

Ceph Day Beijing - SPDK for Ceph

Danielle Womboldt

https://coscup.org/2021/en/session/39M73K https://www.youtube.com/watch?v=L_Gyvdl_d_k Engineers have plenty of debug tools for user space programs development, code tracing, debugging and analyzing. Except “printk”, do we have any other debug tools for Linux kernel development? The “KGDB” mentioned in Linux kernel document provides another possibility. Will share how to experiment with the KGDB in a virtual machine. And, use GDB + OpenOCD + JTAG + Raspberry Pi in the real environment as the demo in this talk. 開發 user space 軟體時，工程師們有方便的 debug 工具進行查找、分析、除錯。但在 Linux kernel 的開發，除了 printk 外，還可以有哪些工具可以使用呢？從 Linux kernel document 可以看到 KGDB 相關的資訊，提供了在 kernel 除錯時的另一個可能性。本次將分享，從建立最簡單環境的虛擬機機開始，到實際使用 GDB + OpenOCD + JTAG + Raspberry Pi 當作展示範例。

Let's trace Linux Lernel with KGDB @ COSCUP 2021

Let's trace Linux Lernel with KGDB @ COSCUP 2021

Let's trace Linux Lernel with KGDB @ COSCUP 2021

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

Mais procurados (20)

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Embedded Recipes 2017 - Introduction to Yocto Project/OpenEmbedded - Mylène J...

Building Mini Embedded Linux System for X86 Arch

Building Mini Embedded Linux System for X86 Arch

Building Mini Embedded Linux System for X86 Arch

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

U Boot or Universal Bootloader

U Boot or Universal Bootloader

U Boot or Universal Bootloader

GCC LTO

Basic Linux Internals

Basic Linux Internals

Basic Linux Internals

Embedded Linux BSP Training (Intro)

Embedded Linux BSP Training (Intro)

Embedded Linux BSP Training (Intro)

Linux Initialization Process (2)

Linux Initialization Process (2)

Linux Initialization Process (2)

Play with FILE Structure - Yet Another Binary Exploit Technique

Play with FILE Structure - Yet Another Binary Exploit Technique

Play with FILE Structure - Yet Another Binary Exploit Technique

Linux SMEP bypass techniques

Linux SMEP bypass techniques

Linux SMEP bypass techniques

Linux Kernel Booting Process (1) - For NLKB

Linux Kernel Booting Process (1) - For NLKB

Linux Kernel Booting Process (1) - For NLKB

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V

Qemu Introduction

Qemu Introduction

Qemu Introduction

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Why You Cannot Use Neural Engine to Run Your NN Models on A11 Devices?

Yocto Project introduction

Yocto Project introduction

Yocto Project introduction

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters

Project ACRN hypervisor introduction

Project ACRN hypervisor introduction

Project ACRN hypervisor introduction

Ceph Day Beijing - SPDK for Ceph

Ceph Day Beijing - SPDK for Ceph

Ceph Day Beijing - SPDK for Ceph

Let's trace Linux Lernel with KGDB @ COSCUP 2021

Let's trace Linux Lernel with KGDB @ COSCUP 2021

Let's trace Linux Lernel with KGDB @ COSCUP 2021

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

LAS16 111 - Raspberry pi3, op-tee and jtag debugging

Semelhante a OS X Drivers Reverse Engineering

Lightweight virtualization", also called "OS-level virtualization", is not new. On Linux it evolved from VServer to OpenVZ, and, more recently, to Linux Containers (LXC). It is not Linux-specific; on FreeBSD it's called "Jails", while on Solaris it’s "Zones". Some of those have been available for a decade and are widely used to provide VPS (Virtual Private Servers), cheaper alternatives to virtual machines or physical servers. But containers have other purposes and are increasingly popular as the core components of public and private Platform-as-a-Service (PAAS), among others. Just like a virtual machine, a Linux Container can run (almost) anywhere. But containers have many advantages over VMs: they are lightweight and easier to manage. After operating a large-scale PAAS for a few years, dotCloud realized that with those advantages, containers could become the perfect format for software delivery, since that is how dotCloud delivers from their build system to their hosts. To make it happen everywhere, dotCloud open-sourced Docker, the next generation of the containers engine powering its PAAS. Docker has been extremely successful so far, being adopted by many projects in various fields: PAAS, of course, but also continuous integration, testing, and more.

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

A Gentle Introduction to Docker and Containers

A Gentle Introduction to Docker and Containers

A Gentle Introduction to Docker and Containers

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

Docker is a runtime for Linux Containers. It enables "separation of concern" between devs and ops, and solves the "matrix from hell" of software deployment. This presentation explains it all! It also explains the role of the storage backend and compares the various backends available. It gives multiple recipes to build Docker images, including integration with configuration management software like Chef, Puppet, Salt, Ansible. If you already watched other Docker presentations, this is an actualized version (as of mid-November 2013) of the thing!

A Gentle Introduction To Docker And All Things Containers

A Gentle Introduction To Docker And All Things Containers

A Gentle Introduction To Docker And All Things Containers

Jérôme Petazzoni

Let's Containerize New York with Docker!

Let's Containerize New York with Docker!

Let's Containerize New York with Docker!

Jérôme Petazzoni

Why kernelspace sucks?

Why kernelspace sucks?

Why kernelspace sucks?

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Introduction to Docker and Containers

Introduction to Docker and Containers

Introduction to Docker and Containers

Languages such as JavaScript may receive a lot of hype nowadays, but for high-performance, close-to-the-metal computing, C++ is still king. This webinar takes you on a tour of the HPC universe, with a focus on parallelism, be it instruction-level (SIMD), data-level, task-based (multithreading, OpenMP), or cluster-based (MPI). We also discuss how specific hardware can significantly accelerate computation by looking at two such technologies: NVIDIA CUDA and Intel Xeon Phi. (Some scarier tech such as FPGAs are also mentioned). These slides were used as part of May 29, 2014 webinar, High-Performance Computing with C++. You can watch the webinar on JetBrainsTV YouTube Channel - http://youtu.be/JcSrwxDb-Fs

High-Performance Computing with C++

High-Performance Computing with C++

High-Performance Computing with C++

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

A bit more of PE

A bit more of PE

A bit more of PE

Decades history of kernel exploitation, however still most used techniques are such as ROP. Software based approaches comes finally challenge this technique, one more successful than the others. Those approaches usually trying to solve far more than ROP only problem, and need to handle not only security but almost more importantly performance issues. Another common attacker vector for redirecting control flow is stack what comes from design of today’s architectures, and once again some software approaches lately tackling this as well. Although this software based methods are piece of nice work and effective to big extent, new game changing approach seems coming to the light. Methodology closing this attack vector coming right from hardware - intel. We will compare this way to its software alternatives, how one interleaving another and how they can benefit from each other to challenge attacker by breaking his most fundamental technologies. However same time we go further, to challenge those approaches and show that even with those technologies in place attackers is not yet in the corner.

Ice Age melting down: Intel features considered usefull!

Ice Age melting down: Intel features considered usefull!

Ice Age melting down: Intel features considered usefull!

Binary art - Byte-ing the PE that fails you (extended offline version)

Binary art - Byte-ing the PE that fails you (extended offline version)

Binary art - Byte-ing the PE that fails you (extended offline version)

Docker and-containers-for-development-and-deployment-scale12x

Docker and-containers-for-development-and-deployment-scale12x

Docker and-containers-for-development-and-deployment-scale12x

Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere. This is the presentation which was shown in December 2014 for the last stop of the "Tour de France" in Bordeaux. It is slightly different from the presentation which was shown in the other cities (http://www.slideshare.net/jpetazzo/introduction-to-docker-december-2014-tour-de-france-edition), and includes a detailed history of dotCloud and Docker and a few other differences. Special thanks to https://twitter.com/LilliJane and https://twitter.com/zirkome, who gave me the necessary motivation to put together this slightly different presentation, since they had already seen the other presentation in Paris :-)

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Jérôme Petazzoni

01 linux-quick-start

01 linux-quick-start

01 linux-quick-start

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

Semelhante a OS X Drivers Reverse Engineering (20)

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker | YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

Lightweight Virtualization with Linux Containers and Docker I YaC 2013

A Gentle Introduction to Docker and Containers

A Gentle Introduction to Docker and Containers

A Gentle Introduction to Docker and Containers

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

Introduction to Docker and all things containers, Docker Meetup at RelateIQ

A Gentle Introduction To Docker And All Things Containers

A Gentle Introduction To Docker And All Things Containers

A Gentle Introduction To Docker And All Things Containers

Let's Containerize New York with Docker!

Let's Containerize New York with Docker!

Let's Containerize New York with Docker!

Why kernelspace sucks?

Why kernelspace sucks?

Why kernelspace sucks?

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Introduction to Docker and Containers

Introduction to Docker and Containers

Introduction to Docker and Containers

High-Performance Computing with C++

High-Performance Computing with C++

High-Performance Computing with C++

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire

A bit more of PE

A bit more of PE

A bit more of PE

Ice Age melting down: Intel features considered usefull!

Ice Age melting down: Intel features considered usefull!

Ice Age melting down: Intel features considered usefull!

Binary art - Byte-ing the PE that fails you (extended offline version)

Binary art - Byte-ing the PE that fails you (extended offline version)

Binary art - Byte-ing the PE that fails you (extended offline version)

Docker and-containers-for-development-and-deployment-scale12x

Docker and-containers-for-development-and-deployment-scale12x

Docker and-containers-for-development-and-deployment-scale12x

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

01 linux-quick-start

01 linux-quick-start

01 linux-quick-start

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

BSides London 2022 - Introducing varc_ Volatile Artifact Collector (2).pdf

Mais de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Positive Hack Days

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Positive Hack Days

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Positive Hack Days

1. Что такое BI. Зачем он нужен. 2. Что такое Qlik View / Sense 3. Способ интеграции. Как это работает. 4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды. 5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Positive Hack Days

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Positive Hack Days

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Positive Hack Days

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Positive Hack Days

Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Positive Hack Days

Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений? На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Positive Hack Days

Формальные методы защиты приложений

Формальные методы защиты приложений

Формальные методы защиты приложений

Positive Hack Days

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Positive Hack Days

Теоретические основы Application Security

Теоретические основы Application Security

Теоретические основы Application Security

Positive Hack Days

Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

Positive Hack Days

Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей. К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Positive Hack Days

Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных. Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Positive Hack Days

Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Positive Hack Days

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Positive Hack Days

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

Positive Hack Days

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Positive Hack Days

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Positive Hack Days

Mais de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Как мы собираем проекты в выделенном окружении в Windows Docker

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Типовая сборка и деплой продуктов в Positive Technologies

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Аналитика в проектах: TFS + Qlik

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Использование анализатора кода SonarQube

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Развитие сообщества Open DevOps Community

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Автоматизация построения правил для Approof

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Мастер-класс «Трущобы Application Security»

Формальные методы защиты приложений

Формальные методы защиты приложений

Формальные методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Эвристические методы защиты приложений

Теоретические основы Application Security

Теоретические основы Application Security

Теоретические основы Application Security

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

От экспериментального программирования к промышленному: путь длиной в 10 лет

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Требования по безопасности в архитектуре ПО

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Формальная верификация кода на языке Си

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

Механизмы предотвращения атак в ASP.NET Core

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

SOC для КИИ: израильский опыт

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Honeywell Industrial Cyber Security Lab & Services Center

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Credential stuffing и брутфорс-атаки

Último

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

HTML Injection Attacks: Impact and Mitigation Strategies

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Tech Trends Report 2024 Future Today Institute.pdf

Tech Trends Report 2024 Future Today Institute.pdf

Tech Trends Report 2024 Future Today Institute.pdf

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Axa Assurance Maroc - Insurer Innovation Award 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Scaling API-first – The story of a global engineering organization

Scaling API-first – The story of a global engineering organization

Scaling API-first – The story of a global engineering organization

Developing An App To Navigate The Roads of Brazil

Developing An App To Navigate The Roads of Brazil

Developing An App To Navigate The Roads of Brazil

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

A Year of the Servo Reboot: Where Are We Now?

A Year of the Servo Reboot: Where Are We Now?

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Boost PC performance: How more available memory can improve productivity

Boost PC performance: How more available memory can improve productivity

Principled Technologies

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

GenCyber Cyber Security Day Presentation

GenCyber Cyber Security Day Presentation

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Último (20)

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

HTML Injection Attacks: Impact and Mitigation Strategies

HTML Injection Attacks: Impact and Mitigation Strategies

HTML Injection Attacks: Impact and Mitigation Strategies

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Tech Trends Report 2024 Future Today Institute.pdf

Tech Trends Report 2024 Future Today Institute.pdf

Tech Trends Report 2024 Future Today Institute.pdf

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Axa Assurance Maroc - Insurer Innovation Award 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Scaling API-first – The story of a global engineering organization

Scaling API-first – The story of a global engineering organization

Scaling API-first – The story of a global engineering organization

Developing An App To Navigate The Roads of Brazil

Developing An App To Navigate The Roads of Brazil

Developing An App To Navigate The Roads of Brazil

A Year of the Servo Reboot: Where Are We Now?

A Year of the Servo Reboot: Where Are We Now?

A Year of the Servo Reboot: Where Are We Now?

Boost PC performance: How more available memory can improve productivity

Boost PC performance: How more available memory can improve productivity

Boost PC performance: How more available memory can improve productivity

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

GenCyber Cyber Security Day Presentation

GenCyber Cyber Security Day Presentation

GenCyber Cyber Security Day Presentation

OS X Drivers Reverse Engineering

1. Reverse Engineering OS X drivers Egor Fedoseev May 21, 2014 PHDays, Moscow

2. ● OS X market share grows over the time ● Kernel-land malware is scary ● Porting drivers, of course Why do we need that

3. About presentation #OSX, #C++, #IDA, #DWARF, #Python Not exactly a rocket science. I just didn’t see a simple OS X driver reverse engineering tutorial yet.

4. About presentation ● OS X kernel overview ● Drivers overview ● Reverse engineering a driver, facing problems ● Solving problems

5. ● Hybrid XNU kernel (Mach + BSD + IOKit) ● Microkernel Mach ● BSD for unixness (POSIX, process model, network stack, access conrol, filesystems, etc.) ● IOKit for drivers OS X kernel

6. ● C++ subset ● Multithreaded ● Power management, driver management, driver layering, driver interface ● Drivers, families, nubs ● Registry & Catalog ● Classes hierarchy IO Kit

7.

8. Kernel extensions ● /System/Library/Extensions ● /Library/Extensions (codesigned) ● Application bundle: Contents/Info.plist Contents/MacOS/ Contents/PlugIns ● Ordinary Mach-O file

9. Reverse engineering a driver ● http://opensource.apple.com/ ● IDA ● Hopper ● kextstat, kextlibs, kextutil ● otool ● dwarfdump ● ...

10. ● 10.9+ — x86-64 only ● Any IDA prior to 6.5 fails to parse relocations ● Heavily C++ — fields and virtual methods Problems

11. What can we do? ● Fix relocations ● Parse VMTs to get class structures ● Process dependencies ● Kernel type library

12. Relocations ● No comprehensive Python library to parse Mach-O files ● Look for LC_SYMTAB, LC_DYSYMTAB ● Hopper and otool handles relocations just fine.

13. VMT ● Luckily, vtables are exported symbols ● Process relocations, look for ‘_ZVT’ ● Easy way to import is to serialize data into C header file

14. Dependencies ● kext/Contents/Info.plist ● com.apple.kpi -> look in mach_kernel ● otherwise look in /System/Library/Extensions /Library/Extensions

15. Kernel type library ● IDA has a way to store reusable type information — TIL ● SDK utility tilib fails to parse C++ code ● dwarf2c fails to parse C++ code ● Probably the easiest way is to parse DWARF ● DWARF parser from elftools package is good

16. Useful links ● http://opensource.apple.com/ ● http://reverse.put.as/ ● https://developer.apple.com/library/ ● python macholib ● python elftools ● python dwarf2c

17. That's all github.com/binchewer domi@hackerdom.ru